As stated in their press release, the importance of this issue was highlighted recently when Elections Ontario lost two USB keys containing the unencrypted personal information of as many as 2.4 million voters. In her investigation, Commissioner Cavoukian found the agency's failure to systematically address privacy and security issues was at the root of the problems.
Commissioner Cavoukian said,
In addition to the seven steps, the guide recommends that organizations develop privacy education and awareness training programs and designate a knowledgeable “go-to” person for privacy-related queries within the organization. Furthermore, processes and procedures are needed to verify compliance with privacy policies – such as comprehensive privacy audits of the organization and informal audits of employees' mobile devices, to make sure they are protected by passwords and strong encryption.
The seven steps that organizations should consider implementing in order to effectively translate their privacy policies into privacy practices include:
- Link each requirement within the policy to a concrete, actionable item – operational processes, controls and/or procedures, translating each policy item into a specific practice that must be executed
- Demonstrate how each practice item will actually be implemented
- Develop and conduct privacy education and awareness training programs to ensure that all employees understand the policies/practices required, as well as the obligations they impose
- Designate a central “go to” person for privacy-related queries within the organization
- Verify both employee and organizational execution of privacy policies and operational processes and procedures
- Proactively prepare for a potential privacy breach by establishing a data breach protocol to effectively manage a breach
It is important to note that Ontario does not have its own privacy law for the private sector. However, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) covers personal information collected, used or disclosed in the course of a commercial activity in provinces that do not have private sector legislation (namely, Ontario, Saskatchewan, Manitoba, New Brunswick, Nova Scotia, Prince Edward Island and Newfoundland and Labrador), and across borders. It does not, however, apply to employee information in organizations in these provinces. Organizations covered by the Act for their customer information may wish to consider extending the same protections to their employee information.
Alberta, British Columbia, and Quebec each have a private sector privacy law that has been deemed to be substantially similar to PIPEDA. Therefore, PIPEDA does not apply to the intraprovincial collection, use or disclosure of personal information by private sector organizations subject to these provincial laws. PIPEDA continues to apply to federal works, undertakings or businesses in these provinces.
PIPEDA also applies to inter-provincial and international transactions involving personal information in the course of commercial activities.
In matters relating to health care, Ontario has privacy legislation deemed substantially similar to PIPEDA.
PIPEDA sets ground rules for how organizations may collect, use or disclose information about individuals in the course of commercial activities. The law also gives individuals the right to see and ask for corrections to information an organization may have collected about them. If an organization’s customers think the organization is not living up to its responsibilities under the law, they have the right to lodge an official complaint.
Hence, Ontario organizations are accountable for the protection of personal information under their control, and should take the Commissioner's advice and make privacy part of their corporate culture. Private sector privacy legislation requires organizations to build privacy policies that outline how they collect, use and disclose their customers’ personal information.